North Korean Ransomware Maui Attacks Healthcare Companies
This week, the FBI, CISA, and the US Treasury issued a joint warning about the Maui ransomware used by North Korean hackers. According to experts, the malware deliberately targets healthcare and public-health organizations.
The warning states that since May 2021, hackers have been using the Maui ransomware to deliberately disrupt various healthcare services, including diagnostics, electronic health records, data visualization, and service intranets. At the same time, the initial point of penetration into the networks of the affected organizations is unknown. Let me remind you that we also wrote that cybercriminals attacked the UHS healthcare network, and that the data of 2 million patients leaked due to the hack of Shields Health Care Group.
According to Stairwell analysts, whose research was the basis for the warning issued by the authorities, the deployment of Maui in the networks of the victims is manual, and the malware operators target certain files that they want to encrypt.
In addition, Maui does not leave any ransom messages or data recovery instructions on encrypted machines.
Maui uses a combination of AES, RSA and XOR for the encryption process: each file is encrypted with AES using a unique key, that key is then encrypted with an RSA key pair generated when the malware is first run, and the RSA public key is in turn encrypted using another, hardcoded RSA public key.
US officials believe that this campaign is based on the willingness of medical institutions to pay a ransom, as they need to quickly recover from an attack and ensure uninterrupted access to critical data and services, because people’s lives and health depend on them.